Security Professionals Hope AI Will Solve What Ails Them

The 2019 Cybersecurity and Threat Preparedness Survey found that 65% of the cybersecurity and IT executives surveyed believe that artificial intelligence and machine learning will be able to solve more security problems than humans can solve.

Sounds like wishful thinking to me. In fact, the survey found that 64% of respondents have yet to deploy artificial intelligence/machine learning into their environments. Still, respondents could use the help as 76% cited the complexity of their security technology stack and 75% cited the volume and sophistication of attacks as their biggest pain points.

In fact, 39% indicated that their company isn’t as prepared as they need be to effectively manage a data breach.  

In surveys from previous years, such as we covered in the post Think Automation and AI Will Help Close Your Cybersecurity Skills Gap?, a Ponemon study conducted in 2018 showed that While 85 percent of respondents don’t think AI/machine learning is a dependable and trusted security tool today, a 23 percent think it will be within a year to two years and another third, or 33 percent believe that it will be more than two years out when that happens. Two years out from the time of that study has passed. Perhaps things will improve in another two years.

The cybersecurity skills gap was just as pressing then, as it is today (regardless if one thinks the skills gap is self-inflicted by poor hiring rules or an actual dearth in skills) and one of the primary hopes of closing that gap (in addition to hiring as many skilled security staff as possible) remains artificial intelligence and automation.

Two years ago, respondents to that Ponemon survey believed that automation and artificial intelligence would enable their security staff to focus on more pressing issues. Seventy-one percent believed that artificial intelligence would soon be a dependable and trusted security tool. Interesting, 29 percent did not believe back then that AI would ever be a trusted and dependable security tool.

A full 60 percent back then said that they would deploy automation to improve their IT security staffs’ ability to do their jobs and focus on more serious vulnerabilities and overall network security. They also hoped that automation would help them to streamline security staff efforts and be more productive.

The 2019 Cybersecurity and Threat Preparedness Survey, commissioned by managed security and consulting services provider Avertium, is based on responses from 223 cybersecurity and IT executives in the U.S. at organizations with more than 50 employees.

While the preponderance of respondents cited artificial intelligence as helping to solve their challenges managing their technology stack and the sophistication of attacks, they will be hiring more staff to manage these challenges instead of turning to machine intelligence. The survey found 52% plan to increase their cybersecurity teams next year.

It’s no surprise that respondents said phishing, at 81% and malware 67%, are the top two problems. After all, phishing attacks remain the top vector of attack. What is surprising, considering that both phishing and malware typically require some degree of affirmative user action, is that enterprises are investing relatively little into security awareness training among staff.

While more than 90% of those surveyed said that they have at least one security awareness process in place, 63% cited new employee orientation and less than half, 46%, said that they conduct annual security training efforts. On the bright side, I guess, is that 74% of respondents said that they dispatch security awareness emails and 58% perform periodic phishing tests.

While cybersecurity professionals cited the complexity of security technology and the quantity and sophistication of attacks as the top challenges, there were three other challenges that essentially tied for third place: third-party vulnerabilities at 66%, increased number of vulnerabilities due to digital transformation at 65% and the cost and complexity of achieving regulatory compliance at 65%.

I have no doubt that artificial intelligence will eventually be helpful enough to solve more security challenges than it does today, but enterprises can’t wait. They need to utilize the security tools that provide machine-based intelligence today but also hire the security professionals they need to manage the technology they have in place, and risks they face, today.